An electric scooter popular with dockless, ride-sharing services can be made to suddenly accelerate or brake mid-ride thanks to a flaw in the device’s Bluetooth module, security research firm Zimperium reported Tuesday.
In a video published today, Zimperium researchers demonstrated their “proof of concept” involving Xiaomi’s popular M365 scooter. The scooter was designed to allow users to remotely lock it using a Bluetooth-enabled app, preventing someone from riding it.
Through the hack, Zimperium was able to target any passerby riding any Xiaomi M365, locking the device as well as forcing it to accelerate and brake, without physically accessing the scooter. The researchers could issue commands to manipulate any scooter up to 100 meters (328 feet) away.
The security flaw could be used by malicious hackers to carry out a number of attacks. A Denial of Service (DoS) attack could be used to remotely lock any M365 scooter, while a malware attack could be used to install new firmware that could take full control of the scooter. Hackers could also target an individual rider and cause the scooter to suddenly brake or accelerate.
Zimperium says it reported the vulnerability to Xiaomi, which has yet to update its software. But a spokesperson for the Chinese company said Zimperium did not reach out through Xiaomi’s security reporting tool. A Zimperium spokesperson provided a copy of the official report filed through Xiaomi’s security portal, in which the company calls the bug “a known issue internally.”
The Xiaomi M365, manufactured by China’s Segway-Ninebot, is one of the most popular models with US-based ride-sharing companies like Bird and Lime. A spokesperson for Bird said its scooters are not affected by the bug, which it has known about for over a year. A spokesperson for Lime did not respond to a request for comment. In October, Lime removed an undisclosed number of Segway-Ninebot scooters from its fleet amid concerns about battery fires.
It is unclear how many Xiaomi M365 scooters are in use by US ride-sharing companies today, but most have been known to use it in their fleets alongside the Segway ES model.
“It might have implications on any ride-sharing service that uses Xiaomi scooters but didn’t disable or replace Xiaomi’s Bluetooth module,” said Rani Idan, security researcher and director of platforms at Zimperium, in an email. “Moreover, Xiaomi scooters are rebranded and sold under different names, those might be affected.”
This isn’t the first security flaw discovered in the fast-growing electric scooter market. Bird got caught up in a controversy over a story about $30 kits to hack its scooters. The kits, which ship from China, are essentially a plug-and-play way to disable the Bird recovery and payment features to turn the scooter into your own personal one.